Abstract

As more resources are added to computer networks, and as more vendors look to the World Wide Web as a viable marketplace, the importance of being able to restrict access and to ensure some kind of acceptable behavior even in the presence of malicious intruders becomes paramount. People have looked to cryptography to help solve many of these problems. However, cryptography itself is only a tool. The security of a system depends not only on the cryptosystem being used, but also on how it is used. Typically, researchers have proposed the use of security protocols to provide these security guarantees. These protocols consist of a sequence of messages, many with encrypted parts. In this paper, we develop a way of verifying these protocols using model checking. Model checking has proven to be a very useful technique for verifying hardware designs. By modelling circuits as finite-state machines, and examining all possible execution traces, model checking has found a number of errors in real world designs. Like hardware designs, security protocols are very subtle, and can also have bugs which are difficult to find. By examining all possible execution traces of a security protocol in the presence of a malicious intruder with well defined capabilities, we can determine if a protocol does indeed enforce its security guarantees. If not, we can provide a sample trace of an attack on the protocol.
1 Introduction

Security for early computers was provided by their physical isolation. Unauthorized access to these machines was prevented by restricting physical access. The importance of sharing computing resources led to systems where users had to authenticate themselves, usually providing a name/password pair. This was sufficient if the user needed to be physically at the console or was connected to the machine across a secure link. However, the efficiency to be gained by sharing data and computing resources has led to computer networks, in which the communication channels cannot always be trusted. In this case, authentication information such as the name/password pairs could be intercepted and even replayed to gain unauthorized access. When such networks were local to a certain user community and isolated from the rest of the world, many were willing to take this risk and to place their trust in the community. However, in order to be able to share information with those outside the community, this isolation would have to be removed. The benefits to be had by such sharing have been enormous, and the gains are demonstrated by the growth of such entities as the Internet and the World Wide Web. Now, very few, if any, guarantees can be made about the communication links. Numerous protocols that take advantage of cryptography have been proposed that claim to solve many of the security issues. The correctness of these protocols is paramount, especially when we consider the size of the networks involved and the desire of users to place confidential information and to allow for monetary transactions to take place across these networks.

Typically, these protocols can be thought of as a set of principals which send messages to each other. The hope is that by requiring agents to produce a sequence of messages, the security goals of the protocol can be achieved. For example, if a principal A receives a message encrypted with a key known only by principals A and B, then principal A should be able to conclude that the message originated from principal B. However, it would be incorrect to conclude that principal A is talking to principal B. An adversary could be replaying a message overheard during a previous conversation between A and B. So, depending on the security goal of this simple example protocol, the protocol may or may not be secure. Because the reasoning behind the correctness of these protocols can be subtle, a number of researchers have turned to formal methods to prove protocols correct.

In order to concentrate on the security of the protocol itself as opposed to the security of the cryptosystem used, the vast majority of research in this area has made the following “perfect encryption” assumptions.

• The decryption key must be known in order to extract the plaintext from the cyphertext.

• There is enough redundancy in the cryptosystem that a cyphertext can only be generated using encryption with the appropriate key. This also implies that there are no encryption collisions. If two cyphertexts are equal, they must have been generated from the same plaintext using the same key.

While the assumptions are obviously not true, they are, in practice, reasonable. They are important because they allow us to abstract away the cryptosystem and analyze the protocol itself. In particular, if there is an attack on this abstracted protocol, then the same attack exists when a real cryptosystem is used.


2 Related Work

Because these protocols tended to be short and not terribly complicated, informal arguments were used to prove their correctness. However, when running in parallel, the behavior of these protocols is more difficult to analyze. Asynchronous composition is already difficult to reason about, and adding issues of who knows what and when makes reasoning about security protocols extremely difficult. One recent approach taken by Bellare and Rogaway and by Shoup and Rubin, is to try to provide a rigorous mathematical proof of the correctness of a protocol [3, 21]. They use properties of pseudo-random functions and mathematical arguments to prove that an adversary does not have a statistical advantage when trying to discover a key in a session key distribution protocol.

One of the earliest successful attempts at formally reasoning about security protocols involved developing a new logic in which one could express and deduce security properties. The earliest such logic is commonly referred to as the BAN logic and is due to Burrows, Abadi, and Needham [6]. Their syntax provided constructs for expressing intuitive properties like “A said X,” “A believes X,” “K is a good key,” and “S is an authority on X.” They also provide a set of proof rules which can then be used to try to deduce security properties like “A and B believe K is a good key” from a list of explicit assumptions made about the protocol. This formalism was successful in uncovering implicit assumptions that had been made and weaknesses in a number of protocols. However, this logic has been criticized for the “protocol idealization” step required when using this formalism. Protocols in the literature are typically given as a sequence of messages. Use of the BAN logic requires that the user transform each message in the protocol into formulas about that message, so that the inferences can be made within the logic. For example, if the server sends a message containing the key $K_{ab}$, then that step might need to be converted into a step where the server sends a message containing $A \stackrel{K_{ab}}{\longleftrightarrow} B$, meaning that the key $K_{ab}$ is a good key for communication between A and B. An attempt to give this logic a rigorous semantics was made by Abadi and Tuttle [2] and other attempts to improve or expand the logic can be found in [22]. The BAN logic remains popular because of its simplicity and high level of abstraction.

Recent work in the use of modal logics for verifying security protocols includes the development of a logic that can express accountability [13]. Kailar convincingly argues that in applications such as electronic commerce, it is accountability and not belief that is important. Like their counterparts in the paper world, one would like people to be held accountable for their electronic transactions. This means that it is not enough for the individual participants to believe that a transaction is taking place. They must be able to prove to a third party that a transaction is taking place. Kailar provides a syntax which allows such properties to be expressed and a set of proof rules for verifying them. Similar to the BAN logic, Kailar's accountability logic is at a very high level of abstraction. Still, Kailar is able to use it to analyze four protocols and to find a lack of accountability in a variant of one of CMU's Internet Billing Server Protocols.

An orthogonal line of research revolves around trying to automate the process of verification when using these logics. Craigen and Saaltink attempt this by embedding the BAN logic in EVES [7]. The automation resulting from this experiment was not satisfactory. By building a forward-chaining mechanism and changing some of the rules, they were able to build a system that would try to develop the entire theory of a set of axioms (find the closure of a set of formulas under the derivation rules). Kindred and Wing went further by proposing a theory-checker generator [14]. They provide a formal and well defined framework with assurances about correctness and termination. In addition, their system generates theory checkers for a variety of logics including BAN, AUTLOG, and Kailar's accountability logic.

The third technique can be placed in the general category of model checking. The common approach here is to model the protocol by defining a set of states and a set of transitions that takes into account an intruder, the messages communicated back and forth, and the information known by each of the principals. This state space can then be traversed to check if some particular state can be reached or if some state trace can be generated. The first attempt at such a formalism is due to Dolev and Yao [8]. They develop an algorithm for determining whether or not a protocol is secure in their model. However, their model is extremely limited. They only consider secrecy issues, and they model only encryption, decryption, and adding, checking, or deleting a principal name.

Meadows used an extension of the Dolev-Yao model in her PROLOG based model checker [17]. In her system, the user models a protocol as a set of rules that describe how an intruder generates knowledge. These rules model both how the intruder can generate knowledge on its own by applying encryption and decryption, and how the intruder can generate new knowledge by receiving responses to messages it sends to the principals participating in the protocol. In addition, the user specifies rewrite rules that indicate how words are reduced. Typically, there are three rules used to capture the notion of equality and the fact that encryption and decryption are inverse functions. These rules are:

encrypt(X, decrypt(X, Y)) → Y
decrypt(X, encrypt(X, Y)) → Y
id_check(X, X) → yes


To perform the verification, the user supplies a description of an insecure state. The model checker then searches backwards in an attempt to find an initial state. This is accomplished naturally in PROLOG by attempting to unify the current state against the right hand side of a rule and thus deducing from the left hand side what the state description for the previous state must be. If the initial state is found, then the system is insecure; otherwise an attempt is made to prove that the insecure state is unreachable by showing that any state that leads to this particular state is also unreachable. This kind of search often leads to an infinite trace where in order for the intruder to learn word A, it must learn word B, and in order to learn word B, it must learn word C, and so on. For this reason a facility for formal languages is included which allows the user to prove that no word in a set of words (or language) can be generated by the intruder. The technique involves the following steps:

• Show that the word in question is in the language.

• Show that knowledge of any word in the language requires previous knowledge of another word in the language.

• Show that the initial state does not contain any word in the language.

This initial model checker was still too limited. In particular, it did not allow the modeling of freshly generated nonces or session keys. The model checker evolved into the NRL Protocol Analyzer [18] which allowed for these operations. In addition the model changed to include the states of the participants as well as the state of the intruder while still maintaining the old paradigm of unifying against the right hand sides of transition rules in order to generate predecessor states. However, if anything, the model has become more complex, and it still suffers from the most important weaknesses of the original system. There is no systematic way of converting a protocol description into a set of transition rules for the NRL Analyzer. The model checker also relies heavily on the user during the verification much in the same way a theorem prover relies on the user to guide it during the search for a proof. Finally, the algorithms used in the NRL Analyzer are not guaranteed to terminate, and so a limit is placed on the number of recursive calls allowed for some of the model checking routines.

Woo and Lam propose a much more intuitive model for authentication protocols [23]. Their model resembles sequential programming with each participating principal being modelled independently. There is an easy and obvious translation from the common description of a protocol as a set of messages to their model. Their models are also more intuitive because they consider all possible execution traces instead of considering just the set of words obtainable by the intruder. They are concerned with checking for what they call secrecy and correspondence properties. The secrecy property is expressed as a set of words (usually keys) that the intruder is not allowed to obtain. The correspondence properties can express things of the form if principal A finishes a protocol run with principal B, then principal B must have started (participated in) the protocol run with A. However, they do not provide a general logic in which to formalize security properties, nor do they provide an automated tool. Instead they present a set of inference rules with which you can prove correspondence assertions about a model [24]. In addition, the description of their model, while intuitive, is not very precise or formal.

Bolignano presents a model that is almost a middle point between these last two [4]. Like Meadows, Bolignano emphasizes the algebraic properties of the intruder when trying to derive words. The state of the intruder then is the set of words it can generate, while the state of the participants is determined by the values of the variables that correspond to the protocol and their program counters. A number of rules to reason about what information is contained in what messages are provided which can then be used to prove properties about a protocol. In the example given, all properties, including authentication, are given in terms of an invariant that must be proven. Because the invariant must be proven to hold for all protocol steps, this can become unwieldy very quickly.

Other recent work in this area has involved trying to use generic verification tools to verify security protocols. In [16], Lowe uses the FDR model checker for CSP [12] to analyze the Needham-Schroeder Public-Key Authentication Protocol [19]. Lowe succeeded in finding a previously unpublished error in the protocol. The fact that he was able to use a generic model checker is promising as well. Unfortunately, the CSP model for the protocol is far from straightforward. In addition, the model is parameterized by the nonces used by the participants. This means that it only models a single run of the protocol. In order to prove the general protocol correct he must prove a theorem that states that the general protocol is insecure only if this restricted version is insecure.
Leduc and others recently used the LOTOS language [5] and the Eucalyptus tool-box [9] to analyze the Equicrypt protocol [15]. What makes this an interesting case study is the fact that the Equicrypt protocol is a real system currently under design for use in controlling access to multimedia services broadcast on a public channel. They were able to find a couple of security flaws in this proposed system using these generic tools.

Gray and McLean propose encoding the entire protocol in terms of temporal logic [10]. Much like symbolic model checking, they describe the model by giving formulas that express the possible relationships between variable values in the current state and variable values in the next state. This makes their framework more formal than the others, but much more cumbersome as well. They provide a simple example and prove a global invariant for this example. The few subcases they consider are very straightforward but their technique demands very long proofs even for the extremely simple example they present. They argue that their technique could be automated but provide no tool for their system.

Abadi and Gordon propose the spi calculus, an extension of the pi calculus with cryptographic primitives, as another model for describing and analyzing cryptographic protocols [1]. The spi calculus models communicating processes in a way that is very similar to CSP and CCS. The spi calculus provides constructs for output on a channel, input on a channel, restriction, composition, testing for equality, pairs and projections, encryption, decryption and for branching on equality to zero. What sets the spi calculus (and the pi calculus) apart from other calculi is the dynamic nature of the scope of restriction. The restriction operator can be thought of as creating a new name to which only processes within the scope of the restriction operator can refer. However, one of these processes could output this new name outside the scope of the restriction operator allowing another process to refer to it. In the pi calculus, these new names can be thought of as private channels. In the spi calculus, the restriction operator is used to model nonces and keys. So far, protocol models have been verified by comparing to a slightly altered model that is “obviously” correct, and is, therefore, at the same level of abstraction as the protocol model.

A more concrete and complete model is presented by Heintze and Tygar [11]. They view protocols as a set of agents modeled as non-deterministic finite state machines. The actions of a principal who must follow the protocol depend on the local state of that principal and so are in some sense restricted. The actions of adversaries are not restricted by the protocol and hence they are allowed to perform any actions consistent with their current knowledge. (In other words, they cannot send messages that they cannot generate from their current knowledge). Their model also includes a notion of belief, which along with the sequence of sends and receives, defines the local state of a principal. Security is then split into secret-security and time-security.

A model is secret-secure if all beliefs are universally valid. In particular if any principal ever believes that a message M is only shared among the principals in S, then it is always the case that if A knows M then $A \in S$. A model is time-secure if all beliefs eventually expire. In other words, if h is a belief held by a principal A at event e then there is an event such that h is not held at any event following it. The authors go on to prove that the questions “Is P secret-secure?” and “Is P time-secure?” are undecidable. While this model does a good job of capturing what one means by “security,” the model seems too complex to be used in practice.


3 Intuition

We also propose a model checking scheme for the verification of security protocols and we make use of the same “perfect encryption” assumptions. We propose a very intuitive model which captures the basic idea of message generation and communication. Unlike other systems, where the protocol must be encoded in CSP or in term rewrite rules, in our model, protocol definitions are easily translated into a sequence of commands like SEND, RECEIVE, and NEWNONCE. In fact, it seems clear that this translation could even be done automatically from the simple notation used to describe protocols in the literature as sequences of messages that occur during a run of the protocol.

Once we have a sequence of actions for each of the participants we take their asynchronous composition to get the full model of the protocol. There is one other unspecified participant which we call the intruder. The intruder models an untrusted communication medium as well as any malicious principals. When messages are sent they can always be intercepted by the intruder. The intruder is also allowed to send messages while impersonating a trusted principal. The intruder may even be selected as a participant in a protocol run. In addition, the intruder will be allowed to compromise temporary secrets, such as session keys, which are generated during the run of the protocol and are not meant to be treated as permanent secrets. Care must be taken, however, because it is unreasonable to allow the intruder to compromise temporary session keys as soon as they are generated. In some sense, the participants should be allowed to make some use of the key before it is allowed to be compromised.

A run of the protocol will then consist of some interleaving of actions from the participants and the intruder. This particular run or trace can then be analyzed to determine if the security of the protocol was compromised. In particular we can check if the intruder ever learns a secret which is meant to be permanent or if some principal A believes it has completed a run with principal B, while principal B has not participated in the run. In general, a set of security requirements can be specified in some kind of logic and then the trace can be checked to see if any of these requirements are violated. However, to verify that a protocol is correct, all the possible runs must be checked.

We can think of a trace as an alternating sequence of global states and actions. The global state will consist of the local state of each participant together with some global information like the set of secret information, and which principals have participated in which protocol runs. Since each principal has a finite number of actions it can take at any point in time (typically just one), then the number of possible next states is finite. If we restrict ourselves to a sufficiently large, but still finite number of runs, then the entire state space will be finite and we can do depth-first search of the state space simply checking that no reachable state violates the security specification.

4 The Specification

There are two kinds of properties that we currently are interested in. The first is a kind of secrecy property. We provide the model checker with a set of terms which the intruder is not allowed to obtain. During the verification, we simply check that the intruder does not have possession of any of the terms in this set. This is not as straightforward as it might seem because the information known to the intruder is typically infinite. For example, if the intruder knows a piece of data and a key, it can repeatedly encrypt this data to produce an infinite number of new terms.

The second property is a temporal property that Woo and Lam call correspondence [23]. In particular, we are interested in checking that “if principal A believes it has finished a protocol run with principal B, then principal B must have begun a protocol run with principal A.” This can be generalized to “if event X occurs, then event Y must have occurred in the past.” (We will use Woo and Lam's notation X Y to denote this.) However, there is more to this property than a simple temporal relationship. The relation between Y events and X events must be a one-to-one mapping. More formally, the projection of any trace onto X events and Y events must be derivable from the following grammar:

$S \rightarrow S\,x\,S\,y \mid \epsilon$

where the terminal symbols x and y represent the events X and Y. In particular, if principal A believes it has completed two protocol runs with principal B, then principal B must have at least begun two protocol runs with principal A. Each end of a protocol run on A's part must be mapped to a separate beginning of a protocol run on B's part.

In order to check for this kind of property, we will augment the global state with counters. For each correspondence property X Y, we will maintain a separate counter which will keep track of the difference between the number of Y events and X events. If this counter ever turns negative (i.e. there are more X events than Y events) then the correspondence property will be violated at that point (there will be no one-to-one mapping from X events to Y events). Conversely, as long as the counter never goes negative there is always a one-to-one mapping from X events to Y events.
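The counter check described above, written out as an added Python example (this is not code from the paper or its model checker): one counter per correspondence property, incremented on a Y event and decremented on an X event, with the first X event that drives its counter below zero reported as the violation. The event names and the two sample traces are constructed for the example; the projection helper only shows which x/y string the trace reduces to.

```python
"""Checking correspondence properties on a trace with counters (added example)."""
from typing import Dict, Optional, Sequence, Tuple

# A correspondence property is given as (X, Y): every X event in a trace
# must be matched one-to-one with a distinct Y event that occurred earlier.
Property = Tuple[str, str]


def check_correspondence(trace: Sequence[str],
                         properties: Sequence[Property]) -> Optional[Tuple[int, Property]]:
    """Walk the trace once, keeping (#Y - #X so far) for each property.

    Returns (index, property) of the first event that takes a counter below
    zero, i.e. an X event with no unmatched earlier Y event, or None when
    every property holds along the whole trace."""
    counters: Dict[Property, int] = {p: 0 for p in properties}
    for index, event in enumerate(trace):
        for prop in properties:
            x_event, y_event = prop
            if event == y_event:
                counters[prop] += 1
            elif event == x_event:
                counters[prop] -= 1
                if counters[prop] < 0:
                    return index, prop
    return None


def projection(trace: Sequence[str], prop: Property) -> str:
    """The trace restricted to the property's events, written with the
    terminals x and y used for X and Y events in the grammar."""
    x_event, y_event = prop
    return "".join("x" if e == x_event else "y" for e in trace if e in prop)


# Constructed events: B beginning a run with A is the Y event, A finishing a
# run with B is the X event. Events of other runs are ignored by the check.
A_ENDS_B = "A: end run with B"
B_BEGINS_A = "B: begin run with A"
PROP: Property = (A_ENDS_B, B_BEGINS_A)

# Two complete runs: each end by A has its own earlier begin by B.
GOOD_TRACE = [B_BEGINS_A, A_ENDS_B, B_BEGINS_A, "A: end run with C", A_ENDS_B]
# B began only once, yet A finished twice: the second end has no partner.
BAD_TRACE = [B_BEGINS_A, A_ENDS_B, A_ENDS_B]

if __name__ == "__main__":
    for name, trace in (("good", GOOD_TRACE), ("bad", BAD_TRACE)):
        print(name, projection(trace, PROP), check_correspondence(trace, [PROP]))
```

Because the counter is only ever compared with zero, the check runs in a single pass over the trace and needs one integer of extra global state per property, which is what makes it cheap enough to evaluate at every state reached during the search.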

5 Messages

Typically, the messages exchanged during the run of a protocol are built up using pairing and encryption from smaller submessages. The smallest such submessages (i.e. they contain no submessages themselves) are called atomic messages. There are four types of atomic messages.

• Keys are used to encrypt messages. We make the “perfect encryption” assumption, which states that the only way to obtain the plaintext from an encrypted message is by using the appropriate decryption key. Keys have the property that every key $k$ has an inverse $k^{-1}$ such that for all messages $m$, $\{\{m\}_k\}_{k^{-1}} = m$. (Note that for symmetric cryptography the decryption key is the same as the encryption key, so $k = k^{-1}$.)

• Principal names are used to refer to the participants in a protocol.

• Nonces are randomly generated numbers. The intuition is that since they are randomly generated, any message containing a nonce can be assumed to have been generated after the nonce was generated. (It is not an “old” message.)

• Data which plays no role in how the protocol works but which is intended to be communicated between principals.


Let $A$ denote the space of atomic messages. The set of all messages $M$ over some set of atomic messages $A$ is defined inductively as follows:

• If $a \in A$ then $a \in M$. (Any atomic message is a message.)

• If $m_1 \in M$ and $m_2 \in M$ then $m_1 \cdot m_2 \in M$. (Two messages can be paired together to form a new message.)

• If $m \in M$ and key $k \in A$ then $\{m\}_k \in M$. (A message $m$ can be encrypted with key $k$ to form a new message.)

Because keys have inverses, we take this space modulo the equivalence $\{\{m\}_k\}_{k^{-1}} = m$. It is also important to note that we make the following perfect encryption assumption. The only way to generate $\{m\}_k$ is from $m$ and $k$. In other words, there do not exist messages $m$, $m_1$, and $m_2$ and key $k$ such that $\{m\}_k = m_1 \cdot m_2$, and $\{m\}_k = \{m'\}_{k'}$ implies $m = m'$ and $k = k'$.

Let $B \subseteq M$ be a subset of messages. The closure of $B$ (denoted $\bar{B}$), representing the set of everything that can be derived from $B$, is defined by the following rules:

1. If $m \in B$ then $m \in \bar{B}$.

2. If $m_1 \in \bar{B}$ and $m_2 \in \bar{B}$ then $m_1 \cdot m_2 \in \bar{B}$. (pairing)

3. If $m_1 \cdot m_2 \in \bar{B}$ then $m_1 \in \bar{B}$ and $m_2 \in \bar{B}$. (projection)

4. If $m \in \bar{B}$ and key $k \in \bar{B}$ then $\{m\}_k \in \bar{B}$. (encryption)

5. If $\{m\}_k \in \bar{B}$ and key $k^{-1} \in \bar{B}$ then $m \in \bar{B}$. (decryption)

6  The  Model 

We now define the model formally by describing how the overall global state and the individual principal local states are defined, as well as by describing how actions update the state. The model consists of the asynchronous composition of a set of named, communicating processes, each augmented with a local store in which to keep track of the current information it "knows", and with a set of bindings for the variables appearing in the process. Each principal involved in the protocol is modelled as one of these processes and is described by a sequence of actions it is to perform and by the initial state of its local store. The initial state of the bindings is assumed to be empty. One process, the intruder, is not completely specified. Only the initial state of its local store is given and it is allowed to perform any "realistic" actions. For example, the intruder is not allowed to decrypt messages with a key it does not possess and it is not allowed to send messages that it cannot create with the information in its local store. But it is allowed to receive and send messages arbitrarily, possibly intercepting messages intended for other principals or possibly impersonating a trusted principal.

More formally, each principal is modelled as a 4-tuple $(N, p, I, B)$, where:

• $N \in names$ is the name of the principal.

• $p$ is a process (similar in style to CSP) given as a sequence of actions to be performed.

• $I \subseteq M$ is the set of all messages known (which can be produced) by the principal. $M$ is the set of all possible messages. Typically $I$ will be infinite and in particular, it is closed under encryption, decryption, pairing (concatenation), and projection. For example, if $m, k \in I$ then $\{m\}_k \in I$. For some set of messages $J$, we will use $\bar{J}$ to denote the closure of $J$ under these operations.

• $B : vars(p) \to M$, where $vars(p)$ is the set of variables appearing in the process $p$, is a set of bindings.

The global state is then maintained as the composition of the participating principals, along with the intruder process, a list of permanent secrets, a list of temporary secrets, and a set of counters indexed by the pairs of principals participating in protocol runs. More formally, the global state is a 5-tuple $(\Pi, C_i, C_r, S_p, S_t)$, where:

• $\Pi$ is the product of the individual principals and the intruder process. This product is asynchronous, yielding an interleaving semantics, with the restriction that processes synchronize on messages.

• $C_i : names \times names \to \mathbb{N}$ gives the difference between the number of times some principal with name $A$ has begun initiating a protocol with some other principal with name $B$ and the number of times $B$ has finished responding to principal $A$. If a counter ever gets a negative value this means that $B$ has finished responding in a protocol with $A$ (i.e. believes $A$ has participated in the protocol) without $A$ having taken part in the protocol.

• $C_r : names \times names \to \mathbb{N}$ gives the difference between the number of times some principal named $A$ has begun responding to some other principal named $B$ and the number of times $B$ has finished initiating a protocol with $A$. If a counter ever gets a negative value this means that $B$ has finished initiating a protocol with $A$ (i.e. believes $A$ has participated in the protocol) without $A$ having taken part in the protocol.

• $S_p \subseteq M$ is a set of messages that are considered safe secrets. These are the set of words that the intruder is never allowed to know. This set remains constant and usually includes things like the private keys that principals use to communicate with a server.

• $S_t \subseteq M$ is a set of messages that are considered temporary secrets. This is the set of new secrets generated during the run of the protocol. These are secrets which we assume the intruder may be able to discover by some outside means, but which the protocol should not reveal, such as session keys.

The specific actions that a principal may perform can be divided into internal actions and communication actions. The internal actions are performed asynchronously. Any principal is allowed to perform an internal action and interleaving is used to model all possible behaviors when multiple principals can make a transition. We define a transition relation between principals such that $A \to B$ if and only if principal $A$ can take an action and become a principal that behaves like $B$.

Communication actions consist of send and receive actions. Each receive action can potentially change the principal's local store, reflecting any new information it has "learned." Communication actions can only occur in pairs and both principals make a transition simultaneously. These communication actions are also interleaved with the possible actions of other automata.

In order for a communication action to take place, the message being sent must unify with the message being received. A message s-msg from principal $A = (A, p, I_A, B_A)$ unifies with a message r-msg from principal $B = (B, q, I_B, B_B)$ if there exists a substitution $\sigma_B : vars(q) \to M$ extending $B_B$ ($B_B \subseteq \sigma_B$), such that $B_A(s\text{-}msg) = \sigma_B(r\text{-}msg)$. If the messages unify, then the following transitions can be taken:

$(A, \mathrm{SEND}(s\text{-}msg).p', I_A, B_A) \to (A, p', I_A, B_A)$

$(B, \mathrm{RECEIVE}(r\text{-}msg).q', I_B, B_B) \to (B, q', I'_B, \sigma_B)$

where $I'_B = I_B \cup \{\sigma_B(r\text{-}msg)\}$. Because we require that s-msg unify with r-msg, if there is already a pair $(var, val)$ in $B_B$ for some $var$ appearing in r-msg, then the corresponding value in s-msg must be $val$. Thus the updates to $B_B$ only add new bindings and never change previous bindings.

For the most part internal actions are used to create or discover new information. For example, NEWNONCE is used to create a nonce. Nonces are globally distinct, and each NEWNONCE action creates a nonce that has not appeared up to that point in the protocol. The new nonce is added to the principal's local store. NEWSECRET works similarly, except that this is supposed to model generating a new session key which can then be used to encrypt messages. More formally:

$(A, \mathrm{NEWNONCE}(var).p', I, B) \to (A, p', I', B')$

$(A, \mathrm{NEWSECRET}(var).p', I, B) \to (A, p', I', B')$

where in both cases, $val$ is the new value generated by the action, $I' = I \cup \{val\}$ and $B' = B[var \leftarrow val]$. If the action was a NEWSECRET action, then $S_t$ is updated in the global state as well, to $S'_t = S_t \cup \{val\}$.

Additionally, the intruder is allowed to perform a GETSECRET action which it can use to acquire a secret previously generated by a principal using NEWSECRET. This models the possibility of session keys being compromised. It allows us to have two classes of secrets: those which we assume to be "permanent", like a private key between a server and a trusted principal, and those secrets which are "temporary", such as session keys. We need to allow the intruder to obtain session keys in order to allow for the possibility of replay attacks which would allow the intruder to establish an old compromised key as a session key. However, we also need to restrict the usage of GETSECRET, or else the intruder would be allowed to compromise a session key immediately after it is generated and before it is ever used. For this reason, we only allow the intruder to perform a GETSECRET action to compromise a key which has already been established or used in a protocol. Formally,


$(Z, \mathrm{GETSECRET}.p', I, B) \to (Z, p', I', B)$

where for some $val \in S_t$, $I' = I \cup \{val\}$ and in the global state $S_t$ is updated to $S'_t = S_t - \{val\}$.

Finally, we have four special actions BEGINIT, ENDINIT, BEGRESPOND, and ENDRESPOND. These are used to mark the beginning and the end of a principal's participation in a protocol. We use them to guarantee that if the principal named $A$ finishes the protocol (performs ENDINIT($B$)) then the principal named $B$ has participated in the protocol (performed BEGRESPOND($A$)). We do this by maintaining counters for each pair of principals participating in a protocol. More formally,


$(A, \mathrm{BEGINIT}(B).p', I_A, B_A) \to (A, p', I_A, B_A)$

and we update the global state by setting the new value of $C_i(A, B)$:

$C'_i(A, B) = \begin{cases} C_i(A, B) + 1 & \text{if } C_i(A, B) \text{ is defined} \\ 1 & \text{otherwise} \end{cases}$

Similarly,

$(B, \mathrm{ENDRESPOND}(A).p', I_B, B_B) \to (B, p', I_B, B_B)$

and we update the global state by setting the new value of $C_i(A, B)$:

$C'_i(A, B) = \begin{cases} C_i(A, B) - 1 & \text{if } C_i(A, B) > 0 \\ \text{error} & \text{otherwise} \end{cases}$

The definitions for BEGRESPOND and ENDINIT are identical except that $C_r$ is updated in the global state instead of $C_i$.

The GETSECRET action may only be performed by the intruder, while the rest of the actions may be performed by any principal. The actions a particular honest principal may make are restricted to the sequence of actions $p$ that represents its role in the protocol. The intruder has no such restriction and is allowed to make any action at any time, provided that if it performs a SEND action with message $m$, it must be the case that $m \in I_Z$.

Recall that a trace is an alternating sequence of global states and actions and that we are interested in checking all possible traces. Clearly, there are a finite number of next states for each of the participants. In addition, while the intruder can generate an infinite number of messages, it is only allowed to send a finite number because each SEND must match with a receive. Since there are a finite number of possible next states and we only consider a finite number of runs, we can perform a depth first search of the state space to generate all possible traces. We then check that no reachable state violates the security specification. Pseudocode for this algorithm can be found in figure 1.


proc DFS(global_state)
    push(S, global_state)
    while (not empty(S)) do
        (Π, C_i, C_r, S_p, S_t) = pop(S)
        if C_i(x, y) < 0 for some x and y or
           C_r(x, y) < 0 for some x and y or
           s ∈ I_Z for some s ∈ S_p ∪ S_t
           /* where I_Z is the intruder's information in Π. */
        then report_error
        L = next_states((Π, C_i, C_r, S_p, S_t))
        for each l ∈ L push(S, l)

Figure 1: Model-checking algorithm

The remaining detail is how to maintain the local stores for the principals. The local store is accessed in three places. First, if principal $(A, p, I_A, B_A)$ sends a message $m$, then we must insure that $m \in I_A$. Second, if the principal receives message $m$, then we must update $I_A$ to $I'_A = I_A \cup \{m\}$. Finally, we check every global state to see if $s \in I_Z$ for some $s \in S_p \cup S_t$, where $I_Z$ is the intruder's local store. It turns out that these local stores are infinite because of the closure operation. However, we never really need to compute the entire closure; we need only determine if a particular message is in the closure. So it suffices to represent the infinite set with a finite set of "generators." This is the topic of the next section.


7  Normalized  Derivations 

Intuitively speaking, if $B$ represents some set of information that is known by a principal, then the principal also knows (can generate) all the information in $\bar{B}$. In general $\bar{B}$ is an infinite set; however, we usually are not interested in the set of everything that a principal knows, but instead whether or not a specific message $x \in M$ can be generated by a principal. This leads us to the following definition.

Let $x \in \bar{B}$ be a message. A derivation of $x$ from $B$ is an alternating sequence of sets of messages and rule instances written as follows:

$B_0 \xrightarrow{R_0} B_1 \xrightarrow{R_1} \cdots B_{k-1} \xrightarrow{R_{k-1}} B_k$

where:

• $B = B_0$

• Each rule instance $R_i$ is written as $(I_i, N_i, O_i)$ where:

  – $I_i \subseteq B_i$

  – $B_{i+1} = B_i \cup O_i$

  – $N_i$ is one of the closure rules for $\bar{B}$ such that $I_i$ satisfies the premise of the rule and $O_i$ is the corresponding conclusion.

For example, let $B = \{\{a\}_k \cdot b,\ k^{-1}\}$. We derive $x = a \cdot b$ as follows:

1. $B_0 = B = \{\{a\}_k \cdot b,\ k^{-1}\}$

2. $R_0 = (\{\{a\}_k \cdot b\},\ 3,\ \{\{a\}_k, b\})$

3. $B_1 = \{\{a\}_k \cdot b,\ k^{-1},\ \{a\}_k,\ b\}$

4. $R_1 = (\{\{a\}_k, k^{-1}\},\ 5,\ \{a\})$

5. $B_2 = \{\{a\}_k \cdot b,\ k^{-1},\ \{a\}_k,\ b,\ a\}$

6. $R_2 = (\{a, b\},\ 2,\ \{a \cdot b\})$

7. $B_3 = \{\{a\}_k \cdot b,\ k^{-1},\ \{a\}_k,\ b,\ a,\ a \cdot b\}$, which contains $x$

We would now like to introduce the notion of a normalized derivation, but first we must introduce the notion of shrinking rules and expanding rules by defining a metric $\mu : M \to \mathbb{N}$. We then define a shrinking rule to be a rule such that for every instance of the rule $(I, N, O)$ we have:

$\max_{m \in I} \mu(m) > \max_{m \in O} \mu(m)$

Analogously, an expanding rule is a rule for which for every instance $(I, N, O)$ we have:

$\max_{m \in I} \mu(m) < \min_{m \in O} \mu(m)$

We can now define a normalized derivation as follows:

$B_0 \xrightarrow{R_0} B_1 \xrightarrow{R_1} \cdots B_{k-1} \xrightarrow{R_{k-1}} B_k$

is a normalized derivation if and only if for all $0 \le i < k$, $N_i$ is an expanding rule implies $N_j$ is an expanding rule for all $i \le j < k$. In other words, all shrinking rules appear to the left of all expanding rules. Recall that in our notation, $R_i$ is the rule instance $(I_i, N_i, O_i)$.

For example, in our model, we will define our metric $\mu$ inductively as follows:

• $\mu(a) = 1$ for all $a \in A$

• $\mu(m_1 \cdot m_2) = \mu(m_1) + \mu(m_2)$

• $\mu(\{m\}_k) = \mu(m) + 1$

Note that $\mu(m)$ is well defined when $m = \{m_1\}_{k_1} = \{m_2\}_{k_2}$, because the perfect encryption assumption implies that $m_1 = m_2$ and $k_1 = k_2$. In the case $m = m_1 \cdot m_2 = m'_1 \cdot m'_2$, either $m_1$ is a substring of $m'_1$ or $m'_1$ is a substring of $m_1$. Without loss of generality, assume $m_1 = m'_1 \cdot b$. Then it must be the case that $m'_2 = b \cdot m_2$ because we have $m = m_1 \cdot m_2 = m'_1 \cdot b \cdot m_2 = m'_1 \cdot m'_2$. Therefore

$\mu(m) = \mu(m_1 \cdot m_2) = \mu(m'_1 \cdot b \cdot m_2) = \mu(m'_1 \cdot m'_2).$

The message derivation rules from section 5 can now be categorized. With these definitions, rules 3 and 5 are shrinking rules and rules 2 and 4 are expanding rules.

We now show that in our model, there is a derivation of $x$ from $B$ if and only if there is a normalized derivation of $x$ from $B$. First we need the following lemma.

Lemma 1: Let $B_0 \xrightarrow{R_0} B_1 \xrightarrow{R_1} B_2$ be a derivation of length 2 such that $N_0$ is an expanding rule and $N_1$ is a shrinking rule. Then there exists a derivation $B'_0 \xrightarrow{R'_0} B'_1 \xrightarrow{R'_1} \cdots B'_{k-1} \xrightarrow{R'_{k-1}} B'_k$ such that

1. $N'_1, \ldots, N'_{k-1}$ are expanding rules.

2. $B'_0 = B_0$.

3. $B_2 \subseteq B'_k$.

Proof:

Case $N_0 = 2$ and $N_1 = 3$:

Let $R_0 = (\{m_1, m_2\},\ 2,\ \{m_1 \cdot m_2\})$ and $R_1 = (\{m'_1 \cdot m'_2\},\ 3,\ \{m'_1, m'_2\})$


Case I: $m'_1 \cdot m'_2 \ne m_1 \cdot m_2$ or $m'_1 \cdot m'_2 \in B_0$

In either case, $m'_1 \cdot m'_2 \in B_0$, and the new derivation is

$R'_0 = R_1$

$R'_1 = R_0$

It is clear that $B'_2 = B_2$.

Case II: $m'_1 \cdot m'_2 = m_1 \cdot m_2$ and $m'_1 \cdot m'_2 \notin B_0$

If we also have $m'_1 = m_1$ and $m'_2 = m_2$, then $m'_1, m'_2 \in B_0$. Therefore $B_2 = B_1$ and we let the new derivation consist only of $R'_0 = R_0$.

Otherwise, we must have that either $m_1$ is a substring of $m'_1$ or $m'_1$ is a substring of $m_1$. Without loss of generality, assume $m_1 = m'_1 \cdot b$. Then it must be the case that $m'_2 = b \cdot m_2$ because we have $m = m_1 \cdot m_2 = m'_1 \cdot b \cdot m_2 = m'_1 \cdot m'_2$. Then the new derivation becomes:

$R'_0 = (\{m'_1 \cdot b\},\ 3,\ \{m'_1, b\})$

$R'_1 = (\{b, m_2\},\ 2,\ \{b \cdot m_2\})$

$R'_2 = (\{m_1, m_2\},\ 2,\ \{m_1 \cdot m_2\})$

And we have that

$B'_3 = B_0 \cup \{m'_1, b\} \cup \{m'_2\} \cup \{m_1 \cdot m_2\} = B_2 \cup \{b\}$

Case $N_0 = 2$ and $N_1 = 5$:

Let $R_0 = (\{m_1, m_2\},\ 2,\ \{m_1 \cdot m_2\})$ and $R_1 = (\{\{m\}_k, k^{-1}\},\ 5,\ \{m\})$

One of our assumptions about encryption is that given $m$, the only way to generate $\{m\}_k$ is by knowing $m$ and $k$ and using the encryption algorithm. Therefore there are no $m_1$ and $m_2$ such that $m_1 \cdot m_2 = \{m\}_k$. So, in this case $\{m\}_k \in B_0$ and the new derivation becomes

$R'_0 = R_1$

$R'_1 = R_0$

It is clear that $B'_2 = B_2$.
Case $N_0 = 4$ and $N_1 = 3$:

Let $R_0 = (\{m, k\},\ 4,\ \{\{m\}_k\})$ and $R_1 = (\{m_1 \cdot m_2\},\ 3,\ \{m_1, m_2\})$

Again, since we can't have $m_1 \cdot m_2 = \{m\}_k$, we must have that $m_1 \cdot m_2 \in B_0$ and the new derivation becomes

$R'_0 = R_1$

$R'_1 = R_0$

Again, $B'_2 = B_2$.

Case $N_0 = 4$ and $N_1 = 5$:

Let $R_0 = (\{m, k\},\ 4,\ \{\{m\}_k\})$ and $R_1 = (\{\{m'\}_{k'}, k'^{-1}\},\ 5,\ \{m'\})$

Case I: $\{m'\}_{k'} = \{m\}_k$

In this case, we also have $m' = m$ and $k' = k$, therefore $B_1 = B_2$ and so the new derivation is:

$R'_0 = R_0$

Clearly, $B'_1 = B_1 = B_2$.

Case II: $\{m'\}_{k'} \ne \{m\}_k$

It must be the case that $\{m'\}_{k'} \in B_0$ so the following is a valid derivation:

$R'_0 = R_1$

$R'_1 = R_0$

It is clear that $B'_2 = B_2$.


Theorem 2: Let $B \subseteq M$ be a set of messages. Then $x \in \bar{B}$ if and only if $x$ has a normalized derivation from $B$.

Proof: If $x$ has a normalized derivation from $B$ then clearly this is a derivation and by definition $x \in \bar{B}$.

For the other direction, let $x \in \bar{B}$. Then there exists some derivation

$\Gamma = B_0 \xrightarrow{R_0} B_1 \xrightarrow{R_1} \cdots B_{k-1} \xrightarrow{R_{k-1}} B_k$

such that $x \in B_k$. Let $S = \{\, i \mid R_i \text{ is a shrinking rule and } \exists j < i \text{ such that } R_j \text{ is an expanding rule} \,\}$. If $S$ is empty, then $\Gamma$ is a normalized derivation and we are done. Otherwise, we can induct on the size of $S$. Let $r = \min S$. By repetitively using Lemma 1, we can move $R_r$ to the left, until either it is the leftmost rule, or it is immediately to the right of another shrinking rule. Since the original derivation is finite and since each time we apply Lemma 1, rule $R_r$ moves one slot to the left, we need apply Lemma 1 only a finite number of times. If $R_r$ becomes the leftmost rule, then clearly there are no expanding rules to the left of $R_r$. If $R_r$ is now immediately to the right of another shrinking rule $R_s$, then there are still no expanding rules to the left of $R_r$, because then there would be an expanding rule to the left of $R_s$ in the original derivation and so $s \in S$ and $s < r$, contradicting the minimality of $r$. Now we have a new derivation of $x$, $\Gamma'$, which is still finite. Since the application of Lemma 1 does not add any new shrinking rules, $S'$, the new $S$, satisfies $S' = S - \{r\}$. Furthermore $|S'| = |S| - 1$, so by the inductive hypothesis we can transform $\Gamma'$ into a normalized derivation of $x$.

Corollary 3: Given $x \in M$ and $B \subseteq M$, determining if $x \in \bar{B}$ is decidable.

Proof: By Theorem 2, $x \in \bar{B}$ if and only if $x$ has a normalized derivation from $B$. We therefore try to find a normalized derivation or show that none exists. First we repeatedly apply shrinking rules to $B = B_0$, creating new sets $B_i$. Since there are a finite number of rules, each rule creates a finite number of new words, each smaller (by the metric $\mu$) than each of the words used as an input to the rule, and $B_0$ is finite to begin with, there are only a finite number of $B_i$'s and hence we only apply shrinking rules a finite number of times. Let us call this final set $B_h$. Since $B_h$ is the result of repeatedly applying all possible shrinking rules to $B$, $x$ has a normalized derivation from $B$ if and only if it has a derivation from $B_h$ which uses only expanding rules. Furthermore, the length of a minimal derivation of $x$ from $B_h$ is bounded by $\mu(x)$ since each expanding rule creates words that are longer than the words used as inputs to the rule. Since there are a finite number of expanding rules and $B_h$ is itself finite, we can simply try all possible sequences of expanding rules of length less than or equal to $\mu(x)$ in a finite number of steps. Therefore, this whole algorithm is guaranteed to terminate.

In the proof of Lemma 1, the majority of cases displayed a kind of independence of rules. Intuitively, independence means that applying one rule does not increase the set of things that can be derived using the other rule. More formally, a shrinking rule $s$ is independent of an expanding rule $e$ if for each pair of instances $(I_s, s, O_s)$ and $(I_e, e, O_e)$ we have one of the following:

1. $O_e \cap I_s = \emptyset$: The output of the expanding rule cannot be used as input to the shrinking rule. This is the case for pairing and decryption and for encryption and projection.

2. $O_s \subseteq I_e$: The information gained by applying the shrinking rule was already present when applying the expanding rule. This could be the case for encryption and decryption using the same key.

Note that this property applied to almost all cases of Lemma 1 and that the only real work in proving Lemma 1 came from the case of the pairing rule and projection rule because these are not independent. The other pairs of rules were independent because of the "perfect encryption assumption." In general, this exchanging property (Lemma 1) need only be shown for pairs of rules that are not independent.

8  Information  Algorithms 

While Corollary 3 proves the decidability of determining if $x \in \bar{B}$, it is an extremely inefficient algorithm. In particular, enumerating all sequences of expanding rules of length $\mu(x)$ will yield exponential complexity. In practice however, we can search for a derivation of $x$ from $B_h$ by using the structure of $x$. Specifically, we have the following theorems:

Theorem 4: $m_1 \cdot m_2 \in \overline{B_h}$ if and only if $m_1 \cdot m_2 \in B_h$ or $m_1 \in \overline{B_h}$ and $m_2 \in \overline{B_h}$.

Proof: Assume $m_1 \cdot m_2 \in \overline{B_h}$ and $m_1 \cdot m_2 \notin B_h$; then $m_1 \cdot m_2$ must be in $\overline{B_h}$ because of an expanding rule. By assumption, $m_1 \cdot m_2 \notin B_h$. To show that $m_1 \cdot m_2 \in \overline{B_h}$ can be derived from $B_h$ without using a shrinking rule, we take a derivation $\Gamma$ of $m_1 \cdot m_2 \in \overline{B_h}$ and use Theorem 2 to get a normalized derivation $\Gamma'$. Now either the shrinking rules appearing in $\Gamma'$ are redundant (i.e. they don't add any new words and so can be removed from the derivation) or we contradict the fact that $B_h$ was created by applying all possible shrinking rules to $B$. In either case the remainder of the derivation (and there must be some remainder since we assume that $m_1 \cdot m_2 \notin B_h$) must consist of expanding rules. In particular the last rule used in the derivation must be an expanding rule, and the only way that could be the case is if it is rule 2, which would require as its premise $m_1 \in \overline{B_h}$ and $m_2 \in \overline{B_h}$.

Now assume that $m_1 \cdot m_2 \in B_h$ or $m_1 \in \overline{B_h}$ and $m_2 \in \overline{B_h}$. Then it is clear by either rule 1 or rule 2 that $m_1 \cdot m_2 \in \overline{B_h}$. □

Theorem 5: $\{m\}_k \in \overline{B_h}$ if and only if $\{m\}_k \in B_h$ or $m \in \overline{B_h}$ and $k \in \overline{B_h}$.

Proof: Analogous to the previous theorem.

Putting all these together yields the basis for our search algorithm. As our set of known messages increases, we repeatedly apply shrinking rules and remove "redundant messages" until we get a set of "basic" messages, $B_h$, to which we cannot apply any shrinking rules. By redundant messages, we mean messages that can be generated from the other messages in the set using expanding rules. For example, when we apply rule 3 to get $m_1$ and $m_2$ from $m_1 \cdot m_2$, we also remove $m_1 \cdot m_2$ from $B_h$. However, when applying rule 5 we must be careful: when we generate $m$ from $\{m\}_k$ and $k^{-1}$, we cannot remove $\{m\}_k$ from $B_h$ unless $k \in B_h$. Pseudocode for this algorithm is given in figure 2.

We now consider the complexity of inserting a new message $m$ into our current set of information $B_h$ and generating a new set of information $B'_h$. The only time there is any interaction between previously known messages in $B_h$ and $m$ is when we try to apply the decryption rule. The message $m$ can have at most $|m|$ encryptions. For each encryption, we scan $B_h$ looking for the inverse key, for a total of $|B_h||m|$ time. Analogously, $m$ could contain at most $|m|$ keys. For each key, we must check each element of $B_h$ to see if it
function add(I, m)
    for each i ∈ I
        if i = {x}_y and y^{-1} = m
        then I = add(I, x)
             if y ∈ I then I = I − {i}
    if m = x · y
    then return add(add(I, x), y)
    if m = {x}_y and y^{-1} ∈ I
    then if y ∈ I
         then return add(I, x)
         else return add(I ∪ {m}, x)
    return I ∪ {m}

Figure 2: Augmenting the intruder's knowledge

can now be decrypted. Again, this takes at most $|B_h||m|$ time. However, the newly decrypted message could again be decrypted. The number of iterations is bounded by $|B_h|$; therefore, the total time to generate $B'_h$ is bounded by $O(|B_h|^2|m|)$ and the size of $B'_h$ is bounded by 0(|7?sp).

We know that any words in $\overline{B_h}$ can be derived using only expanding rules. When we search to see if a word $w$ is known, we can use theorems 4 and 5 to break it down into smaller pieces which can then be searched recursively. For example, if $w \notin B_h$ and $w = \{m\}_k$, then theorem 5 tells us that $w \in \overline{B_h}$ only if $m \in \overline{B_h}$ and $k \in \overline{B_h}$. Pseudocode for this algorithm is given in figure 3.


function in(I, m)
    if m ∈ I
    then return true
    if m = x · y
    then return in(I, x) and in(I, y)
    if m = {x}_y
    then return in(I, x) and in(I, y)
    return false

Figure 3: Searching the intruder's knowledge

When searching for a derivation of $w$ from $B_h$ we first check to see if $w \in B_h$. This costs at most $|B_h|$ time. If not, we break down $w$ into two smaller pieces and recursively check those pieces. The total number of recursive calls is bounded by the number of operations making up $w$, which is in turn bounded by $|w|$. Thus the total time to check if $w \in \overline{B_h}$ is bounded by $O(|B_h||w|)$.

9  Verification  Example 

We now consider an example to illustrate how the model checker works. We consider the simplified Needham-Schroeder protocol analyzed by Lowe [16], given below:

1. $A \to B : A.B.\{N_a.A\}_{K_B}$

2. $B \to A : B.A.\{N_a.N_b\}_{K_A}$

3. $A \to B : A.B.\{N_b\}_{K_B}$

Here $A$ is the initiator and $B$ is the responder. $A$ selects a nonce $N_a$ and sends it along with its name, encrypted with $B$'s public key, to $B$. $B$ uses its private key to decrypt this message and obtain $N_a$. Now $B$ generates its own nonce $N_b$ and sends it along with $N_a$, encrypted with $A$'s public key, to $A$. $A$ uses its private key to decrypt this message and returns $N_b$ to $B$ encrypted with $B$'s public key. $B$ then uses its private key to verify that it has just received the nonce sent earlier.

In order to use our model checker, we first isolate which actions are performed by $A$ and which actions are performed by $B$. We then write a short sequence of actions which make up each participant's role in the protocol. The process description for principal $A$ can be found in figure 4. The description for principal $B$ is similar. All that remains is to specify the initial state of each principal's local store. Each principal, including the intruder, knows the names of all three principals. Each principal also knows the public key of each of the three principals. Finally, each principal knows its own private key. Figure 5 lists the initial contents of the intruder's local store, which consists of the names of the three principals, all three public keys and its own private key.


((beginit (*var* b))
 (newnonce (*var* na))
 (send (*var* b)
       (concat a
               (*var* b)
               (encrypt (pubkey (*var* b)) (concat (*var* na) a))))
 (receive (*var* b)
          (concat (*var* b)
                  a
                  (encrypt (pubkey a) (concat (*var* na) (*var* nb)))))
 (send (*var* b)
       (concat a
               (*var* b)
               (encrypt (pubkey (*var* b)) (*var* nb))))
 (endinit (*var* b)))

Figure 4: Process description for the initiator


(a b *intruder* (pubkey a) (pubkey b)
 (pubkey *intruder*) (privkey *intruder*))


Figure  5:  The  intruder’s  initial  knowledge 

The result of the verification attempt can be found in figure 6. In just a few seconds, the model checker finds a violation of the security specification and generates a counter-example. Figure 7 provides an easier to read description of the attack. The sequences of messages for two runs of the protocol ($\alpha$ and $\beta$) are provided. The notation $I(A)$ is meant to convey either $I$ impersonating $A$ if on the left of the arrow, or $I$ intercepting a message meant for $A$ if on the right of the arrow.

If we examine the counter-example we can see what has happened. $A$ initiates a protocol run with the intruder. The intruder initiates a protocol run with $B$, impersonating $A$ and using the same nonce that $A$ used with the intruder. When $B$ responds, the intruder forwards this message to $A$. This message has the format that $A$ is expecting, namely its own nonce and a new nonce encrypted with $A$'s public key. $A$ then replies back to the intruder with $B$'s nonce encrypted with the intruder's public key. The intruder can use its private key to decrypt this and it can now return $B$'s nonce encrypted with $B$'s public key. When $B$ receives this message, the protocol run is complete and $B$ believes it has finished a protocol run with $A$, while $A$ does not have the corresponding belief that it has initiated a protocol run with $B$.

The above analysis is most easily seen in figure 7 by observing the following relationship between the α run and the β run:

• The role of A in α is played by I in β.

• The role of I in α is played by B in β.

• Each message in β can be obtained from the corresponding message in α by replacing every occurrence of I with B.

Therefore, the β run is identical to the α run except that B plays the role of the responder and I, impersonating A, has played the role of the initiator.


"Lack of correspondence"

(B (BEGRESPOND A))
(A (BEGINIT *INTRUDER*))
(A ((NEWNONCE (*VAR* NA)) (*NONCE* 245)))
(A
 (CONCAT A *INTRUDER*
         (ENCRYPT (PUBKEY *INTRUDER*) (CONCAT (*NONCE* 245) A)))
 INTRUDER)
(INTRUDER (CONCAT A B (ENCRYPT (PUBKEY B) (CONCAT (*NONCE* 245) A))) B)
(B ((NEWNONCE (*VAR* NB)) (*NONCE* 260)))
(B
 (CONCAT B A (ENCRYPT (PUBKEY A) (CONCAT (*NONCE* 245) (*NONCE* 260))))
 INTRUDER)
(INTRUDER
 (CONCAT *INTRUDER* A
         (ENCRYPT (PUBKEY A) (CONCAT (*NONCE* 245) (*NONCE* 260))))
 A)
(A (CONCAT A *INTRUDER* (ENCRYPT (PUBKEY *INTRUDER*) (*NONCE* 260)))
 INTRUDER)
(A (ENDINIT *INTRUDER*))
(INTRUDER (CONCAT A B (ENCRYPT (PUBKEY B) (*NONCE* 260))) B)


Figure 6: Verification Result
[Figure 7: message-sequence diagram of the α and β runs; not recoverable from the scan]

Figure 7: Attack on Needham-Schroeder Protocol

Lowe  suggests  fixing  the  protocol  by  changing  the  second  message  so  that  the  new  protocol  is  as  follows: 

1. A → B : A.B.{N_a.A}_{K_B}

2. B → A : B.A.{N_a.N_b.B}_{K_A}

3. A → B : A.B.{N_b}_{K_B}

When we try to verify this protocol, like Lowe, we find no attack in a single run of the protocol. Because no attack was found, the entire exhaustive search of the state space is performed and so the verification process takes a bit longer, but it still completed in under a minute.
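The attack traced in the counter-example above and Lowe's fix to message 2, as an added example that is not part of the paper or its model checker: a Python replay of the α run (A with the intruder I) interleaved with the β run (I impersonating A towards B). Public-key encryption is modelled symbolically as a tuple that only the key owner can open; the helper names, the principal names A, B and I, and the nonce values 245 and 260 (taken from Figure 6) are constructed for this illustration.

```python
# Added illustration (not the paper's code): replay Lowe's attack on the
# Needham-Schroeder public-key protocol and check Lowe's fix.
# Public-key encryption is symbolic: a ciphertext is ("enc", owner, payload)
# and dec() lets only the owner of that key read the payload, so the
# intruder I can forward or re-encrypt terms but never open A's or B's.

def enc(owner, payload):
    """Encrypt payload under the public key of `owner`."""
    return ("enc", owner, payload)

def dec(me, ct):
    """Decrypt with my private key; messages for other keys stay opaque."""
    if ct[0] != "enc" or ct[1] != me:
        raise ValueError(f"{me} cannot open a message encrypted for {ct[1]}")
    return ct[2]

def run_attack(fixed):
    """Interleave the alpha run (A with I) and the beta run (I as A with B).
    Returns (B believes it ran with A, A believes it ran with B); a mismatch
    is the 'lack of correspondence' reported in Figure 6.
    fixed=True uses Lowe's message 2, which also names the responder."""
    na, nb = 245, 260                       # nonce values as in Figure 6
    # alpha.1  A -> I : A.I.{Na.A}_KI  (A honestly starts a run with I)
    m1 = enc("I", (na, "A"))
    # beta.1   I(A) -> B : A.B.{Na.A}_KB  (I re-encrypts what it learned)
    na_leaked, name = dec("I", m1)
    na_seen, peer_of_b = dec("B", enc("B", (na_leaked, name)))
    # beta.2   B -> I(A) : B.A.{Na.Nb}_KA   (or {Na.Nb.B}_KA when fixed)
    m2 = enc("A", (na_seen, nb, "B") if fixed else (na_seen, nb))
    # alpha.2  I -> A : I cannot open m2, so it forwards it unchanged
    plain = dec("A", m2)
    if plain[0] != na:                      # A checks its own nonce
        return (False, False)
    if fixed and plain[2] != "I":           # A expected a reply from I
        return (False, False)               # Lowe's fix: A aborts here
    # alpha.3  A -> I : A.I.{Nb}_KI ; I opens it with its own private key
    nb_leaked = dec("I", enc("I", plain[1]))
    # beta.3   I(A) -> B : A.B.{Nb}_KB ; B's run completes
    b_believes_a = dec("B", enc("B", nb_leaked)) == nb and peer_of_b == "A"
    a_believes_b = False                    # A only ever talked to I
    return (b_believes_a, a_believes_b)

if __name__ == "__main__":
    print("original:", run_attack(fixed=False))   # (True, False): violation
    print("Lowe fix:", run_attack(fixed=True))    # (False, False): A aborts
```

With the original message 2, B finishes believing its peer was A while A holds no matching belief; with Lowe's message 2 the responder name B does not match the I that A started the run with, so A stops before releasing N_b.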


10  Conclusion 

Our model checker provides a number of advantages over other formalisms. The way we model a protocol is very intuitive. We simply list the sequence of actions that each participant takes in the protocol. Unlike systems based on logics, we need not interpret the beliefs that each message is meant to convey, and we can generate counterexamples when an error is found. Unlike term rewriting approaches, we need not construct a set of rewrite rules to model how an intruder can manipulate participants to generate new messages. We simply model the protocol as a set of programs, one for each participant in the protocol. Because we separate the algorithms that maintain the intruder's knowledge from the state exploration algorithms, we also never need to encode the intruder for our models.

The prototype model checker described here has successfully discovered previously published errors in protocols. When run on correct protocols, the model checker takes a bit longer because it ends up exploring the entire reachable state space, but for the examples investigated so far the system still terminates in about a minute. We are confident that this kind of exhaustive simulation is a feasible and useful technique for verifying security protocols. However, there are still many extensions that can be investigated and implemented, as well as additional experiments to be carried out.

Despite the fact that there is a simple and straightforward translation from protocol descriptions in the literature into our modelling language, this process is tedious and prone to error. We are currently developing a better interface that would allow protocols to be specified exactly the same way they are specified in the literature. We are also working on defining a logic in which to specify the properties we are interested in checking. We are investigating how to add other message operations such as XOR and encryption with non-atomic keys. While these extensions should be possible, it is not clear how these additions will affect the efficiency of our decision procedure for message derivations.

Efficiency is also an important concern. Currently, the model checker runs in an acceptable amount of time. As we begin to increase the number of concurrent protocol runs, and as we increase the complexity of the model checker itself, we can expect the execution time to increase dramatically. Techniques that increase the efficiency of the model checker are necessary to combat this increase in complexity. In particular, it has become clear that a number of operations can be thought of as independent of each other, in the sense that they can be swapped in the execution trace without affecting the rest of the trace. This leads us to believe that partial order techniques [20] can be applied. The increase in efficiency, ease of use, and expressibility will prove useful in analyzing more complex protocols, including electronic commerce protocols.